Network Analysis - Ransomware

  1. What is the operating system of the host from which the network traffic was captured? (Look at Capture File Properties, copy the details exactly) (3 points)

    Click the capture-file properties icon (the small paper icon) in the bottom-left corner of the Wireshark status bar, or use Statistics > Capture File Properties. The Capture section lists the operating system of the host that recorded the traffic; copy it verbatim.

    Answer: 32-bit Windows 7 Service Pack 1, build 7601

  2. What is the full URL from which the ransomware executable was downloaded? (3 points)

    Seen in packet #59, the HTTP GET request. The full URL is the Host header joined with the request URI; Wireshark also exposes it directly as the http.request.full_uri field.

    Answer: http://10.0.2.15:8000/safecrypt.exe

  3. Name the ransomware executable file? (2 points)

    Seen in packet #436, the HTTP response that carries the binary. The file name is the last path component of the URL from question 2, and it is the name Wireshark shows under File > Export Objects > HTTP.

    Answer: safecrypt.exe

  4. What is the MD5 hash of the ransomware? (2 points)

    In Wireshark, go to File > Export Objects > HTTP, select the safecrypt.exe entry and save it. Wireshark writes only the reassembled response body (no HTTP headers), so hashing the saved file gives the hash of the executable itself:

    md5sum safecrypt.exe
    

    Answer: 4a1d88603b1007825a9c6b36d1e5de44
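    What Follow TCP Stream and Export Objects do behind the scenes for questions 2 and 4 (rebuild the URL from Host + request URI, carve the response body after the headers and trim it to Content-Length, then hash it) can be reproduced in a few lines of standard-library Python. The block below is an added example, not part of the original writeup or the challenge files; the request/response pair in it is constructed to look like the challenge traffic, and the 64-byte "MZ" body stands in for the real executable. The same Host-header parsing is what you would use to list contacted domains for question 7.

```python
"""Added example (not from the original writeup): rebuild a download URL from an
HTTP request, carve the response body and hash it, as Wireshark's Follow TCP
Stream / Export Objects do. All traffic below is constructed sample data."""
import hashlib

# Constructed request/response pair shaped like the challenge traffic.
SAMPLE_REQUEST = (
    b"GET /safecrypt.exe HTTP/1.1\r\n"
    b"Host: 10.0.2.15:8000\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\r\n"
    b"\r\n"
)
FAKE_PE_BODY = b"MZ" + b"\x90" * 62          # 64-byte stand-in for the executable
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n"
) + FAKE_PE_BODY


def _split_message(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers (stream truncated?)")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def request_url(raw_request):
    """Reconstruct the full URL: Host header joined with the request target."""
    start, headers, _ = _split_message(raw_request)
    _method, target, _version = start.split(b" ", 2)
    if target.startswith((b"http://", b"https://")):
        return target.decode()            # absolute-form target (proxy-style request)
    host = headers.get(b"host")
    if host is None:
        raise ValueError("no Host header; full URL cannot be rebuilt")
    return "http://" + host.decode() + target.decode()


def carve_body(raw_response):
    """Return the body trimmed to Content-Length and whether the capture held all of it."""
    _status, headers, body = _split_message(raw_response)
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        raise ValueError("chunked encoding not handled here; use Export Objects")
    declared = headers.get(b"content-length")
    length = int(declared) if declared is not None else len(body)
    return {"body": body[:length], "declared_length": length,
            "complete": len(body) >= length}


def hash_object(data):
    """Hashes plus a cheap PE sanity check. Only hash a body that is complete,
    otherwise the digest will not match the file that landed on disk."""
    return {
        "size": len(data),
        "is_pe": data[:2] == b"MZ",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    print("URL:", request_url(SAMPLE_REQUEST))
    carved = carve_body(SAMPLE_RESPONSE)
    if not carved["complete"]:
        raise SystemExit("body truncated; hash would not match the file on disk")
    for name, value in hash_object(carved["body"]).items():
        print(f"{name}: {value}")
```

    The completeness check matters: a capture that stops mid-download still yields a plausible-looking file, but its hash will not match anything on VirusTotal or in a sandbox report. To cross-check against the GUI, the same two steps in tshark are tshark -r capture.pcap -Y http.request -T fields -e http.request.full_uri and tshark -r capture.pcap --export-objects http,outdir followed by md5sum and sha256sum on the exported file.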

  5. What is the name of the ransomware? (2 points)

    Searching for the file name turns up sandbox reports; JoeSandbox flagged the sample with TeslaCrypt YARA rules. Searching by the MD5 (or SHA-256) hash from question 4 is the more reliable lookup, since a file name is not unique to a sample and is trivially changed.

    Answer: TeslaCrypt

  6. What is the encryption algorithm used by the ransomware, according to the ransom note? (2 points)

    Stated in the ransom note image help_recover_instructions.png. Note that the question asks what the note claims, not what the malware does: TeslaCrypt notes advertise RSA-4096, but the files are actually encrypted with AES, which is why decryption tools exist for it at all.

    Answer: RSA-4096

  7. What is the domain beginning with ‘d’ that is related to ransomware traffic? (3 points)

    Seen in packet #623. To enumerate candidate domains rather than scroll, filter on dns.qry.name or http.host and look for the one starting with 'd'.

    Answer: dunyamuzelerimuzesi.com

  8. Decrypt the Tender document and submit the flag (3 points)

    Use TeslaDecoder for this. TeslaCrack only handles TeslaCrypt v2 extensions (.vvv, .ccc and similar), where the weak protection of the AES key let it be recovered by factoring; the .micro extension belongs to TeslaCrypt 3.x, which closed that weakness, and those files are decrypted by TeslaDecoder using the master key the authors released in 2016. On Linux, the Windows executable runs under Wine without issues.

    Answer: BTLO-T3nd3r-Fl@g


Tags

  1. network-analysis
  2. ransomware
  3. wireshark
  4. tshark
  5. tcpdump